a computer system and a method for the protected distribution of certificate and keying material between a certification authority and at least one entity in the certification authority's domain, comprising the steps of sending keying material, including a password, generated by the Certifying Authority to the entity medium; generating and protecting, by the entity, a public and a private key pair using the keying material provided it by the certifying authority; generating, protecting and sending a request for a certificate to the certifying authority using the keying material provided it by the certifying authority; requesting, by the certifying authority, that the public key and address of the entity be sent to the certifying authority; protecting and sending the public key and address of the entity to the certifying authority using the keying material provided it by the certifying authority; assembling and issuing the certificate to the entity from the certifying authority and recording the public key of the entity at the certifying authority for public use within the domain of the certifying authority.
PROTECTED DISTRIBUTION PROTOCOL FOR KEYING AND CERTIFICATE MATERIAL

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates in general to computer security systems, and, more particularly, to a computer security system and a method for the protected distribution of certificate and keying material between a certification authority and an entity in the certification authority's domain.

2. Description of the Related Art

In existing methods for distribution of certificate and keying material, the administrator must manually distribute the information to each end system (entity) and user. Administrators in the past were required to visit each system or user on the system more than once to initialize the information required to support the network security mechanism.

The certificate or keying material is used later to authenticate and to protect the communications between distributed entities. If these materials are compromised in the initial distribution, then the confidentiality and authentication services cannot be assured during further operation.

This manual distribution system is further fraught with difficulties in maintaining security in the physical transportation of the keying materials between the Certification Authority and the various entities, and with the consequent time lag mandated by the actual wait times involved in moving from one entity to the other. All during this setup time, the various entities are denied access to the protected data for which they may have an immediate need.

The present invention meets and overcomes this problem of maintaining security during the transfer of the keying materials between entities and shortens the time during which access is denied an otherwise authorized entity to a minimum.

The present invention reduces the required visits needed to install the necessary security access software to a single visit by using a password (shared secret) to generate the essential keying material to be used for both integrity and encryption services to protect the data necessary for authentication and network security protocol protection.

OBJECTS AND SUMMARY OF THE INVENTION

Therefore, it is an object of the present invention to provide a computer security network system and a method for the protected distribution of certificate and keying material between a certification authority and an entity in the certification authority's domain.

It is still another object of the present invention to provide a method and system that quickly provides authorized users control of their data.

It is another object of the present invention to provide a method and system that facilitates, rather than prevents, the establishment of encoded public and private key data or documents classified at different security levels.

The present invention provides a computer system and a method for the protected distribution of certificate and keying material between a certification authority and an entity in the certification authority's domain by establishing a shared secret and using it to protect the data transferred between the entity and the certifying authority.

The novel features of construction and operation of the invention will be more clearly apparent during the course of the following description, reference being had to the accompanying drawings wherein has been illustrated a preferred form of the device of the invention and wherein like characters of reference designate like parts throughout the drawings.

BRIEF DESCRIPTION OF THE FIGURES

FIGURE 1 is a block diagram flowchart showing the general overall logic flow through a system incorporating the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

A preferred form of the invention as embodied in a method and computing system for providing for the protected distribution of certificate and keying material between a certification authority and an entity in the certification authority's domain by establishing a shared secret and using it to protect the data transferred between the entity and the certifying authority.

In general, as shown in FIGURE 1, the invention is found in a computer system operating over a network in accord with the following steps outlined below in detail to provide for the protected distribution of certificate and keying material between a certification authority and at least one entity in the certification authority's domain.

The certifying authority begins by generating and sending keying material, including a password, to the subject entity via a first secure communications medium. In this instance, the most secure communications medium is a non-electronic medium, such as a manual courier, secure mail or other secure communications medium that is distinct from the computer system over which the keying material is to be used as described later in authenticating the entity to the certifying authority.

Once the entity receives the keying material from the certifying authority, it then generates a public and a private key pair and protects the public key using the keying material provided it by the certifying authority. The entity now generates and protects a request for a certificate to the certifying authority by using the keying material provided it by the certifying authority. Once generated and protected, the request is sent to the certifying authority via a second secure communications medium connecting the certifying authority with the entities in its certifying domain.

Once the certifying authority receives the request from the entity, the certifying authority authenticates the identity of the requesting entity. This is done by requesting, via the second secure communications medium, that the public key and address of the entity be sent to the certifying authority.

The requesting entity, having received the authentication request from the certifying authority, protects the transmission of its selected public key and address to the certifying authority via the second secure communications medium, by using the keying material provided by the certifying authority.

Once the identity of the requesting entity is confirmed, the certifying authority then assembles and issues the requested certificate to the entity via the second secure communications medium, and records the public key of the entity at the certifying authority for public use by other entities within the certifying domain of the certifying authority.
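
An added sketch of the exchange described above, not part of the patent text: both sides derive keys from the couriered password, and the certifying authority accepts the entity's public key and address only if the integrity tag verifies. PBKDF2, HMAC-SHA256, the salt, the nonce and all function names are assumptions, and the certificate is represented as a plain record.

```python
import hashlib
import hmac
import json

def derive_keys(password, salt):
    """Stretch the couriered password into separate integrity and encryption keys.
    PBKDF2-HMAC-SHA256 is an assumption; the patent names no algorithm."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return okm[:32], okm[32:]  # (integrity key, encryption key; the latter unused here)

def entity_response(password, salt, ca_nonce, public_key, address):
    """Entity side: answer the CA's request with its public key and address,
    integrity-protected under the password-derived key."""
    mac_key, _ = derive_keys(password, salt)
    body = json.dumps({"nonce": ca_nonce.hex(), "public_key": public_key.hex(),
                       "address": address}, sort_keys=True)
    tag = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def ca_verify_and_issue(password, salt, ca_nonce, message, registry):
    """CA side: check the tag and nonce, then record the key and issue a record.
    Returns None when the message was altered, replayed, or made with another password."""
    mac_key, _ = derive_keys(password, salt)
    expected = hmac.new(mac_key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    fields = json.loads(message["body"])
    if fields["nonce"] != ca_nonce.hex():
        return None  # answer to some other request (hypothetical replay check)
    registry[fields["address"]] = fields["public_key"]  # published for the domain
    return {"subject": fields["address"], "public_key": fields["public_key"]}

if __name__ == "__main__":
    # Constructed sample values; the public key is opaque placeholder bytes.
    password, salt, nonce = "pw-delivered-by-courier", b"constructed-salt", bytes(16)
    registry = {}
    msg = entity_response(password, salt, nonce, b"\x01\x02", "host-a.example")
    print(ca_verify_and_issue(password, salt, nonce, msg, registry), registry)
    forged = dict(msg, body=msg["body"].replace("0102", "ffff"))
    print(ca_verify_and_issue(password, salt, nonce, forged, {}))
```
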

The invention described above is, of course, susceptible to many variations, modifications and changes, all of which are within the skill of the art. It should be understood that all such variations, modifications and changes are within the spirit and scope of the invention and of the appended claims. Similarly, it will be understood that Applicant intends to cover and claim all changes, modifications and variations of the example of the preferred embodiment of the invention herein disclosed for the purpose of illustration which do not constitute departures from the spirit and scope of the present invention.
WHAT IS CLAIMED IS:

1. A method for the protected distribution of certificate and keying material between a certification authority and at least one entity in the certification authority's domain via a communications medium connecting the certification authority and entities in its domain, comprising the steps of:

sending keying material, including a password, generated by the certifying authority to the entity via a first secure communications medium;

generating and protecting, by the entity, a public and a private key pair using the keying material provided the entity by the certifying authority;

generating, protecting and sending via a second secure communications medium a request for a certificate to the certifying authority using the keying material provided the entity by the certifying authority;

requesting, by the certifying authority via the second secure communications medium, that the public key and address of the entity be sent to the certifying authority;

protecting and sending the public key and address of the entity to the certifying authority via the second secure communications medium using the keying material provided it by the certifying authority;

assembling and issuing the certificate to the entity from the certifying authority via the second secure communications medium and recording the public key of the entity at the certifying authority for public use within the domain of the certifying authority.

2. The method of claim 1 wherein said step of sending keying material, including a password, generated by the certifying authority to the entity via a first secure communications medium further includes the step of: selecting the first secure communications medium that is separate and independent from the second secure communications medium.






WO 95/14283, PCT/US94/12426



3. The method of claim 1 wherein said step of sending keying material, including a password, generated by the certifying authority to the entity via a first secure communications medium further includes the step of: selecting a non-electronic transmission medium for the first secure communications medium.